SSPR lets you configure settings that control how it interacts with the back-end LDAP directory. You can select a template to configure these settings; SSPR provides templates that set default values for the supported back-end directories. You can change the template at any time. Changing the template affects only the settings that are still at their default values; settings you have modified are not affected.
SSPR provides the following templates for supported directories:
NetIQ eDirectory
Active Directory
Oracle Directory Server
NOTE: You can use the Unspecified template if you are using an unsupported directory.
Before configuring LDAP directory settings, you must import the corresponding LDAP server certificates.
In Configuration Manager, click Actions > Import LDAP Server Certificates to import LDAP server certificates.
The Global settings control the interaction with an LDAP directory. These settings do not apply to a user's LDAP profile; to configure settings for an LDAP profile, see Profiles > LDAP Directory Profiles.
To configure LDAP settings, perform the following steps:
In Configuration Manager, click Templates and select a template.
NOTE: If you select NetIQ eDirectory, you can also configure NMAS settings. See Section 3.14, Configuring NetIQ eDirectory Settings.
If you select Active Directory - Store responses in a database, you must also configure the database. See Section 3.15, Configuring Database.
Click Settings > LDAP Settings.
Click View > Always Show Advanced Settings.
Configure the following settings:
| Field | Description |
|---|---|
| LDAP Naming Attribute | Specify the attribute that SSPR uses as the naming attribute of LDAP user entries. This attribute is the first component of a user's distinguished name. The naming attribute is fixed by the directory vendor type, even if the login search filter uses a different attribute. Typically, the naming attribute is cn or uid. |
| LDAP Idle Timeout | Specify how long an LDAP session can remain inactive before it times out and the user must authenticate again. If you specify zero, the LDAP connection for the HTTP session does not time out until you close it. |
| Administrator Query String | Specify the LDAP query string that determines whether a user has administrator rights. During login, SSPR runs this query to determine whether the user is an administrator. |
| Last Password Update Attribute | Specify the attribute used to record when a password was updated. This attribute is consulted during replication checks and other processes. |
| User Object Class (Advanced) | Specify the object classes of user entries in your LDAP directory. |
| Follow LDAP Referrals (Advanced) | Select this check box if you want SSPR to follow LDAP referrals. |
| LDAP Duplicate Mode (Advanced) | Select the mode that determines how SSPR chooses a user when a search matches multiple users; it controls authentication when multiple user matches are found. Select one of the following options from the list: |
| User Selectable LDAP Context/Profile (Advanced) | Select an option from the following list to control the use of LDAP profiles and LDAP contexts during identification (for example, login and forgotten password): |
| Ignore Unreachable LDAP Profiles (Advanced) | Select this option to ignore LDAP profiles that are unreachable. It applies when multiple LDAP profiles are configured. If only a single LDAP profile is configured, or all LDAP profiles are unreachable, a directory unavailable error message is displayed to the user. |
Click Actions > Save.
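The following Python is an added example, not SSPR's own code, illustrating two concepts behind the settings above: the LDAP Naming Attribute (the attribute type of a distinguished name's leading RDN) and LDAP search filters in RFC 4515 syntax, such as the Administrator Query String, including the multiple-match situation that LDAP Duplicate Mode governs. In production SSPR hands such filters to the directory server; here a small in-memory matcher evaluates them over constructed sample entries so the behaviour can be seen offline. The administrator check is modelled, as an assumption, as "the user's own entry satisfies the query", and `%USERNAME%` is this example's placeholder for the login name, which is escaped before substitution so that wildcards and parentheses typed by a user are matched literally.

```python
"""
Added illustration (not SSPR's own code) of the LDAP concepts behind the settings above:
the naming attribute (attribute type of a DN's leading RDN) and RFC 4515 search filters,
such as the Administrator Query String, evaluated against entries, including the
multiple-match case that LDAP Duplicate Mode governs. SSPR hands filters to the directory
server; this in-memory matcher over constructed sample entries just shows the behaviour.
"""
import re

# Constructed sample directory: DN -> attributes (LDAP attributes are multi-valued).
SAMPLE_DIRECTORY = {
    "cn=jdoe,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "top"], "cn": ["jdoe"], "uid": ["jdoe"],
        "memberOf": ["cn=sspr-admins,ou=groups,dc=example,dc=com"],
    },
    "cn=asmith,ou=users,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "top"], "cn": ["asmith"], "uid": ["asmith"],
        "memberOf": ["cn=helpdesk,ou=groups,dc=example,dc=com"],
    },
    # Two contractor entries share uid=shared, so a login filter on uid alone is ambiguous.
    "cn=shared-a,ou=contractors,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "top"], "cn": ["shared-a"], "uid": ["shared"],
    },
    "cn=shared-b,ou=contractors,dc=example,dc=com": {
        "objectClass": ["inetOrgPerson", "top"], "cn": ["shared-b"], "uid": ["shared"],
    },
}

def naming_attribute(dn):
    """Attribute type of the leading RDN, e.g. 'cn' for 'cn=jdoe,ou=users,...'."""
    first_rdn = re.split(r"(?<!\\),", dn, maxsplit=1)[0]  # split at first unescaped comma
    return first_rdn.partition("=")[0].strip().lower()

def escape_filter_value(value):
    """RFC 4515 escaping for a value substituted into a filter (prevents filter injection)."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def _unescape(text):
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), text)

def parse_filter(text):
    """Parse &, |, ! and attr=value (with * wildcards) into a nested tuple tree."""
    def parse(i):
        if text[i] != "(":
            raise ValueError("expected '(' at offset %d" % i)
        i += 1
        if text[i] in "&|":
            op, i, children = text[i], i + 1, []
            while text[i] == "(":
                child, i = parse(i)
                children.append(child)
        elif text[i] == "!":
            op = "!"
            children, i = parse(i + 1)
        else:
            end = text.index(")", i)  # an escaped ')' is written \29, so this is safe
            attr, _, value = text[i:end].partition("=")
            return ("=", attr.strip().lower(), value), end + 1
        if text[i] != ")":
            raise ValueError("expected ')' at offset %d" % i)
        return (op, children), i + 1
    node, end = parse(0)
    if end != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against one entry (case-insensitive, like caseIgnoreMatch)."""
    op = node[0]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    if op == "!":
        return not matches(node[1], entry)
    _, attr, pattern = node
    # Split on '*' before unescaping so an escaped \2a stays a literal star, not a wildcard.
    regex = ".*".join(re.escape(_unescape(p)) for p in pattern.split("*"))
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)

def search(directory, filter_text):
    """DNs of all entries matching the filter."""
    node = parse_filter(filter_text)
    return [dn for dn, entry in directory.items() if matches(node, entry)]

def is_administrator(directory, user_dn, admin_query):
    """Administrator check modelled (an assumption) as: the user's own entry satisfies the query."""
    return matches(parse_filter(admin_query), directory[user_dn])

def resolve_login(directory, login_filter, username):
    """Map a login name to a DN. Returns (status, dns); status 'duplicate' is the case
    LDAP Duplicate Mode decides. %USERNAME% is this example's placeholder; the typed name
    is escaped before substitution so wildcards and parentheses are taken literally."""
    hits = search(directory, login_filter.replace("%USERNAME%", escape_filter_value(username)))
    status = "none" if not hits else "unique" if len(hits) == 1 else "duplicate"
    return status, hits
```

Running `resolve_login(SAMPLE_DIRECTORY, "(&(objectClass=inetOrgPerson)(uid=%USERNAME%))", "shared")` returns `("duplicate", [...])` with both contractor DNs, which is exactly the ambiguity that the LDAP Duplicate Mode setting has to resolve; the same call with `"jdoe"` returns a single DN, and with `"sh*"` returns no match because the wildcard is escaped rather than interpreted. The parser supports only the operators shown and relies on RFC 4515 hex escapes for special characters in values.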